Protect your CVS-based website

Wednesday, March 12 2003 @ 09:49 AM EST

Contributed by: chriskl

Do you keep your website in CVS and check it out to your server? If so, unless you have taken special security precautions, you are exposing information.

If you have checked out from CVS, you will have CVS directories in your tree. It is easy for anyone to request this:

http://domain.com/CVS/Entries

and see all the files in that directory.

Also, when you update and CVS creates a backup file, that file can be requested as well:

http://domain.com/.%23index.php.1.2

To protect yourself, put this in your Apache config:

# Don't serve CVS revisions
<Files ~ "^\.#">
Order allow,deny
Deny from all
</Files>

# Don't serve CVS dirs
<Directory ~ ".*\/CVS\/.*">
Order allow,deny
Deny from all
</Directory>
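
To see which paths the rules above need to cover on your own server, the following added example (not part of the original article) walks a document root and reports every CVS/Entries file and .# backup file it finds, using the same URL form as shown earlier. The function names and the sample checkout are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import quote

# CVS names update backups ".#<file>.<revision>", e.g. ".#index.php.1.2"
BACKUP_RE = re.compile(r"^\.#(?P<name>.+?)\.(?P<rev>\d+(?:\.\d+)+)$")

def parse_entries(text):
    """Return (name, revision) per CVS/Entries line: '/name/rev/ts/opts/tag' or 'D/name////'."""
    rows = (line.split("/") for line in text.splitlines())
    # a bare "D" marker line or a malformed line has fewer than six fields
    return [(p[1], p[2]) for p in rows if len(p) >= 6 and p[0] in ("", "D")]

def audit_docroot(docroot):
    """Return (url_path, reason) pairs for CVS artifacts under docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        base = "/" if rel == "." else "/" + rel + "/"
        if "CVS" in dirnames:
            dirnames.remove("CVS")  # report it once, do not descend into it
            names = []
            entries_file = os.path.join(dirpath, "CVS", "Entries")
            if os.path.isfile(entries_file):
                with open(entries_file, encoding="utf-8", errors="replace") as fh:
                    names = [name for name, _rev in parse_entries(fh.read())]
            findings.append((quote(base + "CVS/Entries"), "lists: " + ", ".join(names)))
        for fname in sorted(filenames):
            m = BACKUP_RE.match(fname)
            if m:
                findings.append((quote(base + fname), "backup of %s rev %s" % m.group("name", "rev")))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample checkout
        os.makedirs(os.path.join(root, "CVS"))
        with open(os.path.join(root, "CVS", "Entries"), "w") as fh:
            fh.write("/index.php/1.3/Wed Mar 12 09:49:00 2003//\nD/admin////\n")
        for name in (".#index.php.1.2", "index.php"):
            open(os.path.join(root, name), "w").close()
        return audit_docroot(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

Call `audit_docroot()` with the real document root in place of the sample tree; an empty result means there are no CVS artifacts on disk for the web server to serve.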




http://www.bsd.net.au/article.php?story=2003031221495562